Traditional perimeter defenses are no longer able to prevent advanced persistent threats (APTs) to a network. APT attacks are carried out by sophisticated attackers whose concentrated and coordinated efforts eventually succeed in gaining a foothold inside the enterprise network. Once an attacker is inside, the next steps are to learn the network and its critical assets and then to move laterally to other systems in search of sensitive and confidential data.
The attacker has to learn the network and its critical assets without being exposed. Any active scan or sweep by the attacker to identify assets can easily be caught by security devices on the network. Attackers therefore use a passive approach to discovering assets, drawing on information that the compromised endpoint already holds, which can include:
Netstat output, which lists all active connections on an endpoint.
The ARP cache, which provides the IP-to-MAC mapping for devices in the layer 2 broadcast domain with which packets have been exchanged.
The routing table, which gives an idea of the network layout and its communication paths.
The DNS cache, which lists recently resolved domain names.
Network shares visible to the endpoint.
Broadcast and multicast traffic observed on the local segment.
The systems and methods disclosed herein provide an improved approach for dealing with APT attacks.